GDPR questions and answers


Category: Risk

Who should conduct the risk assessment? What is the DPO's role in this area?

ANSWER

Conducting a risk analysis under the GDPR is the responsibility of the data controller. It is the controller who is responsible for identifying and assessing threats related to personal data processing and for implementing appropriate technical and organizational measures to minimize them. However, in practice fulfilling this obligation requires the involvement of many people and departments in the organization.

The Data Protection Officer (DPO) plays a key role in the risk analysis process. As a person with unique knowledge and experience in the field of personal data protection, the DPO should actively support the controller in conducting the risk analysis. In particular, the DPO can provide valuable guidance on the methodology for performing the risk analysis, helping to select appropriate tools and procedures and to assess the effectiveness of the safeguards applied.

In practice, conducting a risk analysis requires active involvement of various departments in the organization. Business, IT and the DPO must cooperate to assess all aspects of risk related to personal data processing. The business department provides information on data processing processes and their importance for the company's operations. The IT department identifies technical threats and proposes appropriate safeguards. The DPO, meanwhile, monitors compliance with the GDPR and advises on matters related to personal data protection.

Recent decisions of the Polish Data Protection Authority (UODO) on DPO independence should also be taken into account. UODO emphasises that the DPO must be independent in performing their duties, which means they should not be engaged in operational tasks that could undermine their independence. In the context of risk analysis, this means that the DPO should advise and support, but should not be responsible for conducting the analysis itself.
